Posted to dev@spamassassin.apache.org by bu...@bugzilla.spamassassin.org on 2006/11/11 00:13:12 UTC
[Bug 5175] New: Correct selinux context for spamd ssl certificates
http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5175
Summary: Correct selinux context for spamd ssl certificates
Product: Spamassassin
Version: 3.1.4
Platform: PC
OS/Version: Linux
Status: NEW
Severity: minor
Priority: P5
Component: spamc/spamd
AssignedTo: dev@spamassassin.apache.org
ReportedBy: ajbostian@virginia.edu
spamd will not start from the init script if selinux is enforcing and ssl is
enabled. This appears to be a case of not having the correct selinux context on
the certificates. What is the correct context?
Setup:
Fedora Core 6 (i386)
spamassassin-3.1.4-1.fc6.i386.rpm
Spamd is invoked with the options:
--daemonize --ssl --server-key /etc/pki/tls/spamd/myserver.key --server-cert
/etc/pki/tls/spamd/myserver.crt
The contents of /etc/pki/tls/spamd are:
# ls -laZ /etc/pki/tls/spamd
drwxr-xr-x root root system_u:object_r:cert_t .
drwxr-xr-x root root system_u:object_r:cert_t ..
-r--r--r-- root root system_u:object_r:cert_t ca.crt
-r--r--r-- root root system_u:object_r:cert_t myserver.crt
-r--r----- root root system_u:object_r:cert_t myserver.key
(1) With selinux set to "Enforcing" under the Fedora "Targeted" policy, spamd
fails to start from the init script with the error message:
Starting spamd: [5608] error: spamd: server key file
/etc/pki/tls/spamd/myserver.key does not exist
spamd: server key file /etc/pki/tls/spamd/myserver.key does not exist
[FAILED]
(2) Under the same conditions as (1), spamd will start when run from the command
line as root.
(3) With selinux set to "Permissive," spamd will start from the init script.
I assume that "spamc -S" is affected similarly, though I haven't tested it.
I've tried a few other selinux user contexts (root, user_u) with no success.
Any thoughts?
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
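
The report above does not include the audit log, which is where an enforcing-mode denial is normally recorded and which names the source and target types involved. The helper below is an added example, not part of the original report or of SpamAssassin; it summarizes AVC denials for one process name, and the sample records it runs on (including the spamd_t source type) are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample audit records (NOT taken from the report). The spamd_t
# source type and the specific permission shown are assumptions.
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1163200392.101:45): avc:  denied  { getattr } for  pid=5608 comm="spamd" name="myserver.key" dev=dm-0 ino=98211 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file
type=SYSCALL msg=audit(1163200392.101:45): arch=40000003 syscall=195 success=no exit=-13 comm="spamd" exe="/usr/bin/perl"
type=AVC msg=audit(1163200401.007:46): avc:  denied  { read } for  pid=2211 comm="httpd" name="index.html" dev=dm-0 ino=4411 scontext=system_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
EOF
}

# avc_denials COMM
# Reads audit records on stdin and prints one line per AVC denial whose
# comm= field equals COMM, in the form:
#   <source type> <target type> <object class> <permissions> <object name>
avc_denials() {
    awk -v comm="$1" '
    $1 == "type=AVC" && index($0, " denied ") {
        perms = ""; inbr = 0; c = ""; name = "-"; s = ""; t = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            # Permissions are the bare words between "{" and "}".
            if ($i == "{") { inbr = 1; continue }
            if ($i == "}") { inbr = 0; continue }
            if (inbr) { perms = perms (perms == "" ? "" : ",") $i; continue }
            split($i, kv, "=")
            v = kv[2]; gsub(/"/, "", v)
            if (kv[1] == "comm") c = v
            else if (kv[1] == "name" || kv[1] == "path") name = v
            # The type is the third field of user:role:type[:level].
            else if (kv[1] == "scontext") { split(v, p, ":"); s = p[3] }
            else if (kv[1] == "tcontext") { split(v, p, ":"); t = p[3] }
            else if (kv[1] == "tclass") cls = v
        }
        if (c == comm) print s, t, cls, perms, name
    }'
}

# Run against the constructed sample; on a live system with auditd the input
# would be /var/log/audit/audit.log instead.
sample_audit_log | avc_denials spamd
```

Comparing the source type printed here for an init-script start against the context of a root shell (`id -Z`) shows whether cases (1) and (2) in the report run in different SELinux domains.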
[Bug 5175] Correct selinux context for spamd ssl certificates
Posted by bu...@bugzilla.spamassassin.org.
http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5175
felicity@apache.org changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID
------- Additional Comments From felicity@apache.org 2006-11-10 15:21 -------
I'm not sure what the answer is to this. Generally for this type of problem,
you should talk to the users@ list, and I'd also consider talking to the Fedora
support groups since you're using their stuff including their SA package.
But it's not an SA bug, so closing the ticket. :)